authorLennart Poettering <lennart@poettering.net>2021-11-09 18:26:53 +0100
committerLennart Poettering <lennart@poettering.net>2021-11-09 18:32:25 +0100
commit2d09ea44fcd7c13658bf2e706b4ecd6aba35bfbf (patch)
tree15febc6d1eb03041d77c50c6fdfb74e385800979 /src/nspawn
parent0cc3c9f997d0ea39f0309e74117a033635b2291f (diff)
nspawn: only copy syscall filters from settings if actually configured
As in the previous commit, let's not copy settings that aren't configured, so that --settings=override with an empty .nspawn file is truly a NOP.
Diffstat (limited to 'src/nspawn')
-rw-r--r--src/nspawn/nspawn.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 3209b50417..9adc166aa9 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4462,19 +4462,23 @@ static int merge_settings(Settings *settings, const char *path) {
if ((arg_settings_mask & SETTING_SYSCALL_FILTER) == 0) {
- if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list))
- log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path);
- else {
- strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list);
- strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list);
+ if (!strv_isempty(settings->syscall_allow_list) || !strv_isempty(settings->syscall_deny_list)) {
+ if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list))
+ log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path);
+ else {
+ strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list);
+ strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list);
+ }
}
#if HAVE_SECCOMP
- if (!arg_settings_trusted && settings->seccomp)
- log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path);
- else {
- seccomp_release(arg_seccomp);
- arg_seccomp = TAKE_PTR(settings->seccomp);
+ if (settings->seccomp) {
+ if (!arg_settings_trusted)
+ log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path);
+ else {
+ seccomp_release(arg_seccomp);
+ arg_seccomp = TAKE_PTR(settings->seccomp);
+ }
}
#endif
}
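Review bot: The trust check kept inside the new outer `if` tests only `settings->syscall_allow_list`, so an untrusted file that sets just deny entries is applied, while one that mixes allow and deny entries is dropped whole; nothing in the code says this asymmetry is intended. Presumably the reasoning is that allow entries widen the container's syscall surface and deny entries only narrow it. A short comment above the inner condition would keep a later refactor from flattening it, e.g. `/* Allow-list entries widen the filter and so require a trusted file; deny-only settings merely tighten it. */`. The warning text could also say that deny entries from the same file are discarded along with the allow entries. merge_settings() begins and ends outside this hunk, so how the lists are consumed afterwards is not visible here.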